ip forwarding - permission denied
Cameron Hutchison
camh+ubuntu at xdna.net
Fri Apr 1 06:45:02 UTC 2005
Once upon a time Anders Karlsson said...
>
> I have noticed this as well. It would appear that stdout and stderr do
> _not_ get elevated privileges when running a command with sudo.

That's because the redirection is performed by the shell from which you
are running sudo. This shell does not have elevated permissions so it
cannot open the output file as desired.

> I tested this:
> anders at tor:~$ touch file
> anders at tor:~$ sudo chown root.root file
> anders at tor:~$ sudo chmod 0600 file
> anders at tor:~$ /usr/bin/sudo echo "1" > ./file
> bash: ./file: Permission denied
>
> This illustrates the problem and sudo needs tweaking to do what you (and
> I) want it to do.

No tweak to sudo can fix this, since the redirection occurs before sudo
is even run.

I posted an erroneous solution earlier that was:

    sudo "echo 1 > /proc/sys/net/ipv4/ip_forward"

If sudo were changed to allow this, it would open up a security hole in
sudo. In Ubuntu, users get sudo privileges to do anything as root, but
if you are using sudo to give permissions to run only certain programs
to users, the ability to redirect as root overrides the necessary
permission checking.

E.g. a user has permission to run apt-get as root, and nothing else. The
user runs "sudo apt-get update >/etc/passwd", and ends up destroying the
password file. Not what is wanted in a restricted root execution
environment.
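
The point made in the message above, as an added example that is not part of the original post: the calling shell opens the redirect target before the command starts and never passes the redirection to it. `fake_sudo` is a hypothetical stand-in for sudo so the script runs unprivileged, and the `sh -c` form in case 3 is not taken from the post.

```shell
#!/bin/sh
# Added example: fake_sudo is a hypothetical stand-in for sudo so the script
# runs unprivileged. It records the argv it was handed, then runs it.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

fake_sudo() {
    printf '[%s]' "$@" > "$WORK/argv"
    "$@"
}

# Case 1: 'sudo echo 1 > FILE'. The calling shell consumes '> FILE' itself,
# so the wrapped command (and any sudoers rule matching it) never sees it.
argv_plain_redirect() {
    fake_sudo echo 1 > "$WORK/out"
    cat "$WORK/argv"
}

# Case 2: the target is opened before the command is started. If the open
# fails, the command is not executed at all, so no sudo option can help.
ran_when_open_fails() {
    rm -f "$WORK/argv"
    ( fake_sudo echo 1 > "$WORK/no-such-dir/file" ) 2>/dev/null || true
    if [ -e "$WORK/argv" ]; then echo yes; else echo no; fi
}

# Case 3: 'sudo sh -c "echo 1 > FILE"'. Here the redirection is part of the
# argv, is performed by the elevated sh, and is subject to the sudoers policy:
# a user allowed to run only apt-get is not allowed to run sh.
argv_inner_redirect() {
    fake_sudo sh -c 'echo 1 > "$1"' sh "$WORK/out2"
    cat "$WORK/argv"
}

echo "plain redirect argv : $(argv_plain_redirect)"
echo "ran when open fails : $(ran_when_open_fails)"
echo "inner redirect argv : $(argv_inner_redirect)"
```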